Commit 6dc7838104df4c3c1e26a0b74e032e163c1b1b65
1 parent
b0821ca9
Merged in from STABLE trunk...
KTS-1978 "XSS Prevention by sanitizing inputs from users" Added sanitize() to various user inputs. Thanks to John Hale for his work on this! Committed By: Kevin Reviewed By: Conrad git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@6708 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
8 changed files
with
27 additions
and
27 deletions
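--- a/lib/sanitize.inc
+++ b/lib/sanitize.inc
@@ -44,7 +44,9 @@ function sanitize($string) {
 }
 
 // This might be a little too aggressive
-$pattern = "([^[:alpha:]|^_\.\ \:-])";
+//$pattern = "([^[:alpha:]|^_\.\ \:-])";
+// Allow numeric characters
+$pattern = "([^[:alnum:]|^_\.\ \:-])";
 return ereg_replace($pattern, '', $string);
 }
 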
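Review bot: The rewritten `$pattern` on added line 49 is a strip-list, not an encoder, so `sanitize()` deletes every character outside `[:alnum:]`, `_`, `.`, `:`, `-` and space from the stored value; in the callers this commit adds (edit.php, addDocument.php, KTDiscussion.php, simpleSearch.php, view.php) that means non-ASCII letters in titles, comments and search terms are lost under the default C locale rather than escaped at output time. In a POSIX bracket expression `|` and a non-leading `^` are literal characters, so the pattern admits `|` and `^` rather than expressing the alternation and negation its layout suggests. `ereg_replace` is deprecated from PHP 5.3 and removed in PHP 7, so if the codebase moves forward `preg_replace` with an explicit class is the replacement. The same hunk is duplicated in lib/util/sanitize.inc, which is the copy the new `require_once` lines load, so the two files must be kept in step or one dropped. I'd add above the pattern: `// Whitelist strip, not escaping: anything outside [:alnum:] _ . : - and space is removed; values still need htmlspecialchars() when echoed`.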
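--- a/lib/util/sanitize.inc
+++ b/lib/util/sanitize.inc
@@ -44,7 +44,9 @@ function sanitize($string) {
 }
 
 // This might be a little too aggressive
-$pattern = "([^[:alpha:]|^_\.\ \:-])";
+//$pattern = "([^[:alpha:]|^_\.\ \:-])";
+// Allow numeric characters
+$pattern = "([^[:alnum:]|^_\.\ \:-])";
 return ereg_replace($pattern, '', $string);
 }
 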
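--- a/plugins/ktcore/document/edit.php
+++ b/plugins/ktcore/document/edit.php
@@ -40,9 +40,9 @@ require_once(KT_LIB_DIR . '/documentmanagement/documentutil.inc.php');
 require_once(KT_LIB_DIR . '/triggers/triggerregistry.inc.php');
 require_once(KT_LIB_DIR . '/permissions/permission.inc.php');
 require_once(KT_LIB_DIR . '/permissions/permissionutil.inc.php');
-
 require_once(KT_LIB_DIR . "/widgets/forms.inc.php");
 require_once(KT_LIB_DIR . "/metadata/fieldsetregistry.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 
 // {{{ KTDocumentEditAction
 class KTDocumentEditAction extends KTDocumentAction {
@@ -191,7 +191,7 @@ class KTDocumentEditAction extends KTDocumentAction {
 if ($this->oDocument->getDocumentTypeId() != $doctypeid) {
 $this->oDocument->setDocumentTypeId($doctypeid);
 }
-$this->oDocument->setName($data['document_title']);
+$this->oDocument->setName(sanitize($data['document_title']));
 $res = $this->oDocument->update();
 if (PEAR::isError($res)) {
 $oForm->handleError(sprintf(_kt("Unexpected failure to update document title: %s"), $res->getMessage()));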
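Review bot: The new `setName(sanitize($data['document_title']))` on line 194 stores whatever the strip-list leaves, and nothing checks that it left anything, so a title made entirely of characters outside the allowed class may be saved as an empty name without an error. I'd sanitize into a local first and validate it: `$sTitle = sanitize($data['document_title']);`, an empty check that reports through `$oForm->handleError()` as the lines below do, then `$this->oDocument->setName($sTitle);`. The enclosing method starts and ends outside the hunk, so whether an earlier validator already rejects an empty raw title is not visible here.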
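--- a/plugins/ktcore/folder/Rename.php
+++ b/plugins/ktcore/folder/Rename.php
@@ -30,13 +30,12 @@
 */
 
 require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
-
 require_once(KT_LIB_DIR . "/widgets/fieldsetDisplay.inc.php");
 require_once(KT_LIB_DIR . "/widgets/FieldsetDisplayRegistry.inc.php");
 require_once(KT_LIB_DIR . "/foldermanagement/folderutil.inc.php");
 require_once(KT_LIB_DIR . "/documentmanagement/observers.inc.php");
-
 require_once(KT_LIB_DIR . "/documentmanagement/documentutil.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 
 class KTFolderRenameAction extends KTFolderAction {
 var $sName = 'ktcore.actions.folder.rename';
@@ -88,8 +87,7 @@ class KTFolderRenameAction extends KTFolderAction {
 }
 }
 
-$res = KTFolderUtil::rename($this->oFolder, $sFolderName, $this->oUser);
-
+$res = KTDocumentUtil::rename($this->oDocument, sanitize($sFilename), $this->oUser);
 if (PEAR::isError($res)) {
 $_SESSION['KTErrorMessage'][] = $res->getMessage();
 redirect(KTBrowseUtil::getUrlForFolder($this->oFolder));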
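Review bot: Replacement line 90 calls `KTDocumentUtil::rename($this->oDocument, sanitize($sFilename), $this->oUser)` inside `KTFolderRenameAction`, whereas the removed line renamed the folder via `KTFolderUtil::rename($this->oFolder, $sFolderName, $this->oUser)`; the error path two lines down still redirects with `$this->oFolder`, so `$this->oDocument` and `$sFilename` look like a paste from the document action and are probably undefined here, which would leave folder rename broken rather than sanitized. The intended change is presumably `$res = KTFolderUtil::rename($this->oFolder, sanitize($sFolderName), $this->oUser);`. The enclosing method begins outside the hunk, so where `$sFolderName` is read from the request is not visible.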
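--- a/plugins/ktcore/folder/addDocument.php
+++ b/plugins/ktcore/folder/addDocument.php
@@ -30,15 +30,13 @@
 */
 
 require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
-
 require_once(KT_LIB_DIR . "/widgets/fieldsetDisplay.inc.php");
 require_once(KT_LIB_DIR . "/widgets/FieldsetDisplayRegistry.inc.php");
 require_once(KT_LIB_DIR . "/foldermanagement/folderutil.inc.php");
 require_once(KT_LIB_DIR . "/documentmanagement/observers.inc.php");
-
 require_once(KT_LIB_DIR . "/documentmanagement/documentutil.inc.php");
-
 require_once(KT_LIB_DIR . "/metadata/fieldsetregistry.inc.php");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 
 class KTFolderAddDocumentAction extends KTFolderAction {
 var $sName = 'ktcore.actions.folder.addDocument';
@@ -282,8 +280,8 @@ class KTFolderAddDocumentAction extends KTFolderAction {
 );
 
 $aFile = $this->oValidator->validateFile($extra_d['file'], $aErrorOptions);
-$sTitle = $extra_d['document_name'];
-
+$sTitle = sanitize($extra_d['document_name']);
+
 $iFolderId = $this->oFolder->getId();
 $aOptions = array(
 'contents' => new KTFSFileLike($aFile['tmp_name']),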
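Review bot: `$sTitle = sanitize($extra_d['document_name'])` on line 283 is not checked after stripping, so a document name composed of characters outside the allowed class may be created with an empty title; a guard such as `if ($sTitle === '') { $this->oValidator->notEmpty($sTitle, $aErrorOptions); }` before `$aOptions` is built would report it through the same error path as the file validation above. Only the typed name is covered here; if the uploaded file's original name from `$aFile` is stored elsewhere in this method it gets no equivalent treatment, which is worth confirming since the method continues outside the hunk.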
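--- a/plugins/ktstandard/KTDiscussion.php
+++ b/plugins/ktstandard/KTDiscussion.php
@@ -32,7 +32,7 @@
 require_once(KT_LIB_DIR . '/widgets/fieldWidgets.php');
 require_once(KT_LIB_DIR . '/discussions/DiscussionThread.inc');
 require_once(KT_LIB_DIR . '/discussions/DiscussionComment.inc');
-
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 
 define('DISCUSSION_OPEN', 0);
 define('DISCUSSION_CONCLUSION', 1);
@@ -177,8 +177,8 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
 $oComment = DiscussionComment::createFromArray(array(
 'threadid' => $oThread->getId(),
 'userid' => $this->oUser->getId(),
-'subject' => $sSubject,
-'body' => KTUtil::formatPlainText($sBody),
+'subject' => sanitize($sSubject),
+'body' => sanitize(KTUtil::formatPlainText($sBody)),
 ));
 $aErrorOptions['message'] = _kt("There was an error adding the comment to the thread");
 $this->oValidator->notError($oComment, $aErrorOptions);
@@ -306,8 +306,8 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
 $oComment = DiscussionComment::createFromArray(array(
 'threadid' => $oThread->getId(),
 'userid' => $this->oUser->getId(),
-'subject' => $sSubject,
-'body' => KTUtil::formatPlainText($sBody),
+'subject' => sanitize($sSubject),
+'body' => sanitize(KTUtil::formatPlainText($sBody)),
 ));
 $aErrorOptions['message'] = _kt("There was an error adding the comment to the thread");
 $this->oValidator->notError($oComment, $aErrorOptions);
@@ -387,7 +387,7 @@ class KTDocumentDiscussionAction extends KTDocumentAction {
 }
 
 $aErrorOptions['message'] = _kt("No reason provided");
-$sReason = $this->oValidator->validateString(KTUtil::arrayGet($_REQUEST, 'reason'), $aErrorOptions);
+$sReason = sanitize($this->oValidator->validateString(KTUtil::arrayGet($_REQUEST, 'reason'), $aErrorOptions));
 
 if($iStateId > $oThread->getState()) {
 $sTransactionNamespace = 'ktcore.transactions.collaboration_step_approve';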
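Review bot: On lines 181 and 310 `sanitize()` is applied to the output of `KTUtil::formatPlainText($sBody)` rather than to `$sBody` itself; if formatPlainText emits any markup (for example break tags for newlines), the strip-list removes `<`, `>` and `/` and leaves the tag names behind as literal text in the stored comment. Sanitizing the raw input and then formatting, `'body' => KTUtil::formatPlainText(sanitize($sBody))`, keeps the formatter's output intact in both comment-creation hunks. Whether formatPlainText produces markup is not visible in this diff, so confirm against its definition before reordering. The enclosing methods start and end outside the hunks.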
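--- a/search/simpleSearch.php
+++ b/search/simpleSearch.php
@@ -37,11 +37,10 @@ require_once(KT_LIB_DIR . "/util/ktutil.inc");
 require_once(KT_LIB_DIR . "/browse/DocumentCollection.inc.php");
 require_once(KT_LIB_DIR . "/browse/BrowseColumns.inc.php");
 require_once(KT_LIB_DIR . "/browse/PartialQuery.inc.php");
-
 require_once(KT_LIB_DIR . "/foldermanagement/Folder.inc");
-
 require_once(KT_LIB_DIR . '/browse/columnregistry.inc.php');
 require_once(KT_LIB_DIR . '/actions/bulkaction.php');
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 
 class SimpleSearchTitleColumn extends TitleColumn {
 function setSearch($sSearch) {
@@ -143,7 +142,7 @@ class SimpleSearchDispatcher extends KTStandardDispatcher {
 $aErrorOptions = array(
 "message" => _kt("Please provide a search term"),
 );
-$searchable_text = KTUtil::arrayGet($_REQUEST, "fSearchableText");
+$searchable_text = sanitize(KTUtil::arrayGet($_REQUEST, "fSearchableText"));
 $this->oValidator->notEmpty($searchable_text, $aErrorOptions);
 
 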
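Review bot: `sanitize()` on line 145 rewrites the search term before `notEmpty` runs and before it reaches the query, so a term made of characters outside the allowed class (quotes, or non-ASCII letters under the C locale) is either reported as "Please provide a search term" or silently searched as a different string, without the user seeing what was actually searched. The term is a query input rather than HTML output, so the safer shape is to keep the raw value for the search and let the query layer bind it as a parameter, escaping it with `htmlspecialchars()` only where the page echoes it back; if the query layer does not bind parameters, that is the place to fix. `do_main()` continues outside the hunk, so how `$searchable_text` is used afterwards is not visible here.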
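--- a/view.php
+++ b/view.php
@@ -35,6 +35,7 @@ require_once(KT_LIB_DIR . "/templating/kt3template.inc.php");
 require_once(KT_LIB_DIR . "/dispatcher.inc.php");
 require_once(KT_LIB_DIR . "/util/ktutil.inc");
 require_once(KT_LIB_DIR . "/database/dbutil.inc");
+require_once(KT_LIB_DIR . "/util/sanitize.inc");
 
 // document related includes
 require_once(KT_LIB_DIR . "/documentmanagement/Document.inc");
@@ -94,12 +95,12 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 function do_main() {
 // fix legacy, broken items.
 if (KTUtil::arrayGet($_REQUEST, "fDocumentID", true) !== true) {
-$_REQUEST["fDocumentId"] = KTUtil::arrayGet($_REQUEST, "fDocumentID");
+$_REQUEST["fDocumentId"] = sanitize(KTUtil::arrayGet($_REQUEST, "fDocumentID"));
 unset($_REQUEST["fDocumentID"]);
 }
 
 $document_data = array();
-$document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');
+$document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'));
 if ($document_id === null) {
 $this->oPage->addError(sprintf(_kt("No document was requested. Please <a href=\"%s\">browse</a> for one."), KTBrowseUtil::getBrowseBaseUrl()));
 return $this->do_error();
@@ -250,7 +251,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 function do_viewComparison() {
 
 $document_data = array();
-$document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');
+$document_id = sanitize(KTUtil::arrayGet($_REQUEST, 'fDocumentId'));
 if ($document_id === null) {
 $this->oPage->addError(sprintf(_kt("No document was requested. Please <a href=\"%s\">browse</a> for one."), KTBrowseUtil::getBrowseBaseUrl()));
 return $this->do_error();
@@ -258,7 +259,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 
 $document_data["document_id"] = $document_id;
 
-$base_version = KTUtil::arrayGet($_REQUEST, 'fBaseVersion');
+$base_version = sanitize(KTUtil::arrayGet($_REQUEST, 'fBaseVersion'));
 
 // try get the document.
 $oDocument =& Document::get($document_id, $base_version);
@@ -283,7 +284,7 @@ class ViewDocumentDispatcher extends KTStandardDispatcher {
 $this->aBreadcrumbs = array_merge($this->aBreadcrumbs, KTBrowseUtil::breadcrumbsForDocument($oDocument, $aOptions));
 $this->oPage->setBreadcrumbDetails(_kt("compare versions"));
 
-$comparison_version = KTUtil::arrayGet($_REQUEST, 'fComparisonVersion');
+$comparison_version = sanitize(KTUtil::arrayGet($_REQUEST, 'fComparisonVersion'));
 if ($comparison_version=== null) {
 $this->oPage->addError(sprintf(_kt("No comparison version was requested. Please <a href=\"%s\">select a version</a>."), KTUtil::addQueryStringSelf('action=history&fDocumentId=' . $document_id)));
 return $this->do_error();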
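Review bot: The `=== null` checks on lines 104, 255 and 288 now test the result of `sanitize()`, and `ereg_replace` returns a string for a null subject, so unless the unseen top of `sanitize()` passes null straight through, a missing `fDocumentId` or `fComparisonVersion` becomes `''` and the "No document was requested" branch can no longer fire. Keep the null test on the raw value and sanitize afterwards, or better, since these are numeric identifiers, validate them as integers instead of stripping characters: `$document_id = KTUtil::arrayGet($_REQUEST, 'fDocumentId');` followed by `if ($document_id === null || !ctype_digit((string) $document_id)) {` in place of the current condition. `$base_version` on line 262 has the same shape and would take the same treatment. `do_main()` and `do_viewComparison()` continue outside the hunks.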